Red Hat Bugzilla – Bug 1508781
[CRI-O] should support sysctls feature
Last modified: 2018-03-28 10:10:51 EDT
Description of problem:
Now in a cri-o env, when creating a pod with sysctls, it always fails with "runtime cri-o does not support sysctls". We should support this feature.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.188.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with "sysctls=kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=33768 61000", then check pod status:

[root@ip-172-18-14-130 ~]# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-safe.yaml -n dma
pod "hello-pod" created
[root@ip-172-18-14-130 ~]# oc get po -n dma
NAME        READY     STATUS              RESTARTS   AGE
hello-pod   0/1       SysctlUnsupported   0          4s
[root@ip-172-18-14-130 ~]# oc describe po hello-pod -n dma
Name:         hello-pod
Namespace:    dma
Node:         ip-172-18-14-130.ec2.internal/
Start Time:   Thu, 02 Nov 2017 04:22:13 -0400
Labels:       name=hello-pod
Annotations:  openshift.io/scc=anyuid
              security.alpha.kubernetes.io/sysctls=kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=33768 61000
Status:       Failed
Reason:       SysctlUnsupported
Message:      Pod runtime cri-o does not support sysctls
IP:
Containers:
  hello-pod:
    Image:        docker.io/deshuai/hello-pod:latest
    Port:         8080/TCP
    Environment:  <none>
    Mounts:
      /tmp from tmp (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-fkj85 (ro)
Volumes:
  tmp:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  default-token-fkj85:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-fkj85
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     <none>
Events:
  FirstSeen  LastSeen  Count  From                                    SubObjectPath  Type     Reason             Message
  ---------  --------  -----  ----                                    -------------  -------  ------             -------
  16s        16s       1      kubelet, ip-172-18-14-130.ec2.internal                 Warning  SysctlUnsupported  runtime cri-o does not support sysctls
  16s        16s       1      default-scheduler                                      Normal   Scheduled          Successfully assigned hello-pod to ip-172-18-14-130.ec2.internal

Actual results:

Expected results:

Additional info:
That doesn't mean the containers aren't actually created with sysctls. We should be using sysctl annotations in Openshift 3.7 so could you perhaps please sh in a container and verify?
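The check this comment asks for (shell into the container and confirm the sysctls actually took effect) can be scripted. The following is an added example for this report, not code from OpenShift, CRI-O or Kubernetes: it parses the `security.alpha.kubernetes.io/sysctls` annotation value shown in the description, separates the namespaced sysctls that Kubernetes 1.7-1.9 whitelisted as "safe" from everything else, and compares each expected value with what the container reports under /proc/sys. The OBSERVED dictionary is constructed sample data standing in for files read with `oc exec`.

```python
# Added example for this bug report, not code from OpenShift, CRI-O or Kubernetes.
from typing import Dict, List, Tuple

# Namespaced sysctls Kubernetes 1.7-1.9 treated as "safe", i.e. settable through
# the security.alpha.kubernetes.io/sysctls annotation without node-level opt-in.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
})

def parse_sysctls_annotation(value: str) -> Dict[str, str]:
    """Parse 'k1=v1,k2=v2'; values may contain spaces, e.g. '33768 61000'."""
    result: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        if "=" not in item:
            raise ValueError(f"malformed sysctl entry: {item!r}")
        name, val = item.split("=", 1)
        result[name.strip()] = val.strip()
    return result

def split_safe_unsafe(sysctls: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the whitelisted names from those that need unsafe-sysctls handling."""
    safe = {k: v for k, v in sysctls.items() if k in SAFE_SYSCTLS}
    return safe, {k: v for k, v in sysctls.items() if k not in safe}

def proc_sys_path(name: str) -> str:
    """kernel.shm_rmid_forced -> /proc/sys/kernel/shm_rmid_forced"""
    return "/proc/sys/" + name.replace(".", "/")

def check_applied(expected: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Names whose in-container value differs from the annotation.

    `observed` maps /proc/sys paths to file contents read inside the container
    (for example with `oc exec <pod> -- cat /proc/sys/kernel/shm_rmid_forced`).
    /proc/sys prints ranges tab-separated, so compare whitespace-insensitively."""
    norm = lambda s: " ".join(s.split())
    return [n for n, want in expected.items()
            if norm(observed.get(proc_sys_path(n), "")) != norm(want)]

# Constructed sample: the annotation from the report, and what a container that
# actually received the sysctls shows under /proc/sys.
ANNOTATION = "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=33768 61000"
OBSERVED = {
    "/proc/sys/kernel/shm_rmid_forced": "1\n",
    "/proc/sys/net/ipv4/ip_local_port_range": "33768\t61000\n",
}

if __name__ == "__main__":
    wanted = parse_sysctls_annotation(ANNOTATION)
    print("safe/unsafe:", split_safe_unsafe(wanted))
    print("not applied:", check_applied(wanted, OBSERVED))
```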
Patch being back ported to 3.7 here: https://github.com/openshift/origin/pull/17274
Patch merged in origin
Verified on ocp3.9

# openshift version
openshift v3.9.0-0.16.0
kubernetes v1.9.0-beta1
etcd 3.2.8

# ./rootfs/usr/bin/crio --version
crio version 1.8.2

# oc adm new-project dma
Created project dma
# oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/sysctls/pod-sysctl-safe.yaml -n dma
pod "hello-pod" created
# oc get po -n dma
NAME        READY     STATUS    RESTARTS   AGE
hello-pod   1/1       Running   0          34s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489